Slashdot Mirror

← Back to Stories (view on slashdot.org)

DARPA Cyber Range Project Doomed to Failure

Posted by ScuttleMonkey on from the long-way-behind-the-power-curve dept.

carusoj writes "Former black-hat hacker Noah Schiffman details why DARPA's National Cyber Range project is bound to fail. The NCR is proposed as a simulation of the Internet, including replicating 'human behavior and frailties.' Schiffman argues that if the Defense Department is really building something of this scope, it might as well use the actual Internet."

8 of 41 comments (clear)

  1. What does "failure" mean though? by biolysis · · Score: 5, Insightful

    Won't they be learning valuable lessons even if they fail to meet their mission objectives?

  2. If I had one of these by Profane+MuthaFucka · · Score: 4, Funny

    If I had a simulation of the entire Internet, it'd be all over for me. I mean, there would then be absolutely no reason for me to leave my house. I'd just sit inside all day playing with this simulation of the Internet.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    1. Re:If I had one of these by Hankapobe · · Score: 4, Funny

      Mmmmmm, simulated porn sites.

    2. Re:If I had one of these by SiriusStarr · · Score: 3, Funny

      Virus tank! http://www.xkcd.com/350/

      --
      Fear the penguin.
  3. By using the actual internet.... by Hankapobe · · Score: 4, Insightful
    you can't run 'what-if' scenarios and keep certain variables constant.

    On the other hand, by using the internet, the powers that be wouldn't be able to rig or dumb down any tests so that they succeed. Like they did with some of the Star Wars tests. Useful when justifying budgets to Congress.

  4. I disagree by WarJolt · · Score: 3, Insightful

    In the end, the underlying necessity of this project is an impossibility-the simulation of true human behavior. If this was possible, and one could accurately know and predict online behavior, the acceleration of these calculations would border the lines of predeterminism and precognition. This type of "sci-fi success" would render the creation of the NCR unnecessary, since it would create the ability to anticipate, know, and adequately prepare for all future cyber attacks. I don't think the goal is to reproduce human behavior, but reproduce the environment and basic human input. I'd argue that the user is not the cause of most vulernerabilities. Most vulernabilities are flaws with the applications, architectures, systems and protocols themselves. The human factor for most vulnerabilities has already been compiled into applications distributed and is ready for testing. There is already AI that searches for vulnerabilities in systems. This is just looking for it on a massive scale.
  5. I disagree... by religious+freak · · Score: 4, Interesting

    Saying that a simulated Internet for cyberwaarfare (note the new meme!) has no point is like saying a simulated Earth has no point for studying global warming. To effectively study you need controls and variables. Having real controls on the actual Internet is impossible, not to mention the fact you'd be vulnerable to surveillance.

    I also find it interesting to find that people say a realistic simulation is impossible, while in the same breath complaining this project costs too much. $30 Billion obviously won't get you 100% there, but I'll bet it'll get you there with 95% confidence. Yeah, I suppose you could argue that because that 5% exists, the project has no meaning, but any engineering effort has a little slack in it. If history is any indication DARPA should do a fairly good job at managing that risk.

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  6. Bogus analysis - not 30 billion. by Animats · · Score: 4, Insightful

    Nothing in the solicitation has a $30 billion price tag on it. No idea where that number came from. There are no dollar amounts at this stage; DARPA is soliciting bids.

    What DARPA is asking for is a 10,000 node Internet simulator, and that's in the final phase. The whole system can be started, stopped, and flushed to a clean state for new tests. Users are simulated: "Replicants will simulate physical interaction with device peripherals, such as keyboard and mice. Replicants will drive all common applications on a desktop environments." Attacks on the network are supported; the vendor even has to provide a "malware library".

    The simulated machines have to be simulated at a fine level of detail. "The NCR must be capable of taking a physical computer and rapidly creating a functionally equivalent, logical instance of that machine that can be replicated repeatedly and injected into a testbed. Given a never-before-seen physical computing device, create logical instantiations of the physical native machine that accurately replicates, not only the software on the machine, but hardware to the interrupt level, chipset, and peripheral cards and devices.". That's going to be hard. They may end up with real computers hooked up to peripherals that simulate human inputs. (DoD does this all the time; it's how flight control software is debugged. Serious flight simulators use the real "black boxes" of real aircraft with simulated inputs and outputs.) They need that level of fidelity because they want to observe virus and attack behavior.

    This is going to be a useful asset.